[c-nsp] DNS rewrite & global capabilities

Roland Dobbins rdobbins at arbor.net
Wed Jul 1 07:39:40 EDT 2009


On Jul 1, 2009, at 2:05 PM, Quinn Mahoney wrote:

> That's not saying a whole lot.  You could always get more bandwidth
> and more servers.  That doesn't mean it's not helpful to have a
> specialized device multiplexing the connections to the servers, and
> doing more sophisticated analysis of the packets before sending them
> to the server.

On the contrary, it's absolutely detrimental to attempt to perform  
such analysis on a device which is yet another attack vector, and  
which can easily be overwhelmed due to its limited stateful capacity  
(multiplexing is useful, but is unrelated to this general topic).

I speak from personal hands-on operational experience, and from the  
personal hands-on operational experience of others with whom I've  
worked in this sector.

> You are claiming that certain firewalls/load-balancers can't firewall
> and inspect packets at millions of packets per second.  This claim is
> inconsistent with current data.

I know how these devices work from the inside-out, having utilized,  
deployed, and participated in feature specifications for same.  They  
don't do what you claim, and can't ever, due to their inherent design  
principles.

> These packets are the same as legit packets, I do not believe a fully
> effective automated system exists.

My hands-on personal operational experience detecting, classifying,  
tracing back, and mitigating multi-gb/sec, multi-mpps DDoS attacks  
using precisely the approaches I've outlined indicates otherwise.

> Not really saying a whole lot again. My argument was not that the
> products you refer to aren't a part of an effective security solution.

My arguments are based on large-scale operational experience and  
detailed knowledge of this topic and of the performance  
envelopes/characteristics of these types of devices in real-world  
situations, as well as from a design and development perspective.  They  
are factual, and represent ground truth, not opinions.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

         Unfortunately, inefficiency scales really well.

		   -- Kevin Lawton
